Bug 1751227 (CVE-2019-14838) - CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default
Summary: CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' an...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14838
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1746952
Reported: 2019-09-11 13:16 UTC by Paramvir jindal
Modified: 2019-12-02 17:21 UTC (History)

Fixed In Version: wildfly-core 7.2.5.GA
Doc Type: If docs needed, set a value
Doc Text:
It was found that Wildfly users had default user permissions set incorrectly. A malicious user could use this flaw to access unauthorized controls for the application server.
Clone Of:
Environment:
Last Closed: 2019-10-15 18:51:10 UTC




Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2019:3082  None      None    None     2019-10-15 17:35:45 UTC
Red Hat Product Errata  RHSA-2019:3083  None      None    None     2019-10-15 17:08:41 UTC
Red Hat Product Errata  RHSA-2019:4018  None      None    None     2019-11-26 19:55:54 UTC
Red Hat Product Errata  RHSA-2019:4019  None      None    None     2019-11-26 20:00:14 UTC
Red Hat Product Errata  RHSA-2019:4020  None      None    None     2019-11-26 19:57:27 UTC
Red Hat Product Errata  RHSA-2019:4021  None      None    None     2019-11-26 19:59:02 UTC
Red Hat Product Errata  RHSA-2019:4040  None      None    None     2019-12-02 17:03:44 UTC
Red Hat Product Errata  RHSA-2019:4041  None      None    None     2019-12-02 17:03:08 UTC
Red Hat Product Errata  RHSA-2019:4042  None      None    None     2019-12-02 17:04:01 UTC
Red Hat Product Errata  RHSA-2019:4045  None      None    None     2019-12-02 17:21:36 UTC

Description Paramvir jindal 2019-09-11 13:16:51 UTC
Tested in JBoss EAP 7.2.3 GA:

The Management users with the Monitor, Auditor and Deployer roles should not be allowed to modify the runtime state of the server, as mentioned in Tables 2.1 and 2.2 in our product documentation:

https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/security_architecture/index#rbac

But it has been observed that these users can perform this operation. They can stop any server running in domain mode:

--------------------------------------
[domain@localhost:9990 /] /host=master/server-config=server-one:stop()
{
    "outcome" => "success",
    "result" => "STOPPING"
}

[domain@localhost:9990 /] /host=master/server-config=server-one:start()
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'start' for resource '[
    (\"host\" => \"master\"),
    (\"server-config\" => \"server-one\")
]' -- \"WFLYCTL0332: Permission denied\"",
    "rolled-back" => true
}
-------------------------------------

These users are allowed to "stop" the server but they cannot "start" it. Ideally they should not be able to stop or start any server.

Comment 3 Paramvir jindal 2019-09-12 05:54:42 UTC
I have tested it in EAP 6.4.22 and it is working as expected. EAP 6 is not affected:

-----------------------------
[domain@localhost:9999 /] /host=master/server-config=server-one:stop()
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'stop' for resource '[
    (\"host\" => \"master\"),
    (\"server-config\" => \"server-one\")
]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
[domain@localhost:9999 /] /host=master/server-config=server-one:start()
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'start' for resource '[
    (\"host\" => \"master\"),
    (\"server-config\" => \"server-one\")
]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
-----------------------------

Comment 9 Paramvir jindal 2019-10-15 06:30:49 UTC
JDV 6 is not affected:

-------------------
[domain@localhost:9999 /] /host=master/server-config=server-one:stop()
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'stop' for resource '[
    (\"host\" => \"master\"),
    (\"server-config\" => \"server-one\")
]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
--------------------
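Added example (not part of this report, nor WildFly/EAP code): a regression check that parses jboss-cli results in the `"key" => value` text form quoted in the description and in Comments 3 and 9, and flags any restricted role that was able to run a state-changing operation. The function names, the `UNAUTHORIZED_CODES` set and the sample strings are mine; the samples are constructed from the transcripts above.

```python
import re

# Roles that must not change server runtime state, and the operations the
# report shows them wrongly running on /host=*/server-config=*.
RESTRICTED_ROLES = ("Monitor", "Auditor", "Deployer")
STATE_CHANGING_OPS = ("stop", "start")
# Authorization-failure codes seen in the transcripts (EAP 7 and EAP 6).
UNAUTHORIZED_CODES = {"WFLYCTL0313", "JBAS013456"}

def parse_cli_result(text):
    """Parse a jboss-cli result block into outcome, failure text and error code."""
    outcome = re.search(r'"outcome"\s*=>\s*"([^"]+)"', text)
    # The failure text contains escaped quotes and spans several lines.
    failure = re.search(r'"failure-description"\s*=>\s*"((?:[^"\\]|\\.)*)"', text, re.S)
    desc = failure.group(1) if failure else ""
    code = re.match(r'([A-Z]+\d+):', desc)
    return {"outcome": outcome.group(1) if outcome else "unknown",
            "failure": desc,
            "code": code.group(1) if code else None}

def is_denied(result):
    """True only when the operation was rejected by the authorization layer."""
    return result["outcome"] == "failed" and result["code"] in UNAUTHORIZED_CODES

def rbac_violations(role, observed):
    """observed maps operation name -> raw CLI output produced while logged in
    as `role`. Returns the operations that ran but should have been denied."""
    if role not in RESTRICTED_ROLES:
        raise ValueError(f"no expectations defined for role {role!r}")
    return [op for op in STATE_CHANGING_OPS
            if not is_denied(parse_cli_result(observed[op]))]

# Constructed samples, transcribed from the CLI output quoted in this report.
EAP_7_2_3 = {
    "stop": '{\n    "outcome" => "success",\n    "result" => "STOPPING"\n}',
    "start": ('{\n    "outcome" => "failed",\n    "failure-description" => '
              '"WFLYCTL0313: Unauthorized to execute operation \'start\' for resource \'[\n'
              '    (\\"host\\" => \\"master\\"),\n    (\\"server-config\\" => \\"server-one\\")\n'
              ']\' -- \\"WFLYCTL0332: Permission denied\\"",\n    "rolled-back" => true\n}'),
}
# EAP 6.4.22 denied both operations; only the message codes differ.
EAP_6_4_22 = {op: EAP_7_2_3["start"].replace("start", op)
              .replace("WFLYCTL0313", "JBAS013456").replace("WFLYCTL0332", "JBAS013475")
              for op in STATE_CHANGING_OPS}

if __name__ == "__main__":
    for name, observed in (("EAP 7.2.3", EAP_7_2_3), ("EAP 6.4.22", EAP_6_4_22)):
        bad = rbac_violations("Monitor", observed)
        print(f"{name}: {'VIOLATION: ' + ', '.join(bad) if bad else 'ok'}")
```

Run against real output by capturing each operation's result while connected as a user holding only the role under test and feeding the text in place of the constructed samples.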

Comment 11 errata-xmlrpc 2019-10-15 17:08:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:3083 https://access.redhat.com/errata/RHSA-2019:3083

Comment 12 errata-xmlrpc 2019-10-15 17:35:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:3082 https://access.redhat.com/errata/RHSA-2019:3082

Comment 13 Product Security DevOps Team 2019-10-15 18:51:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14838

Comment 14 Laura Pardo 2019-10-16 19:30:55 UTC
Acknowledgments:

Name: Fábio Magalhães de Andrade (Sonda Ativas), Leonard Lunardi (UnimedBH), Juliano de Castro Santos (UnimedBH)

Comment 15 Gabriel Rocha 2019-10-17 09:40:19 UTC
External References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14838

Comment 16 errata-xmlrpc 2019-11-26 19:55:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:4018 https://access.redhat.com/errata/RHSA-2019:4018

Comment 17 errata-xmlrpc 2019-11-26 19:57:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:4020 https://access.redhat.com/errata/RHSA-2019:4020

Comment 18 errata-xmlrpc 2019-11-26 19:59:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:4021 https://access.redhat.com/errata/RHSA-2019:4021

Comment 19 errata-xmlrpc 2019-11-26 20:00:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:4019 https://access.redhat.com/errata/RHSA-2019:4019

Comment 20 errata-xmlrpc 2019-12-02 17:03:06 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 7

Via RHSA-2019:4041 https://access.redhat.com/errata/RHSA-2019:4041

Comment 21 errata-xmlrpc 2019-12-02 17:03:41 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 6

Via RHSA-2019:4040 https://access.redhat.com/errata/RHSA-2019:4040

Comment 22 errata-xmlrpc 2019-12-02 17:03:59 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 8

Via RHSA-2019:4042 https://access.redhat.com/errata/RHSA-2019:4042

Comment 23 errata-xmlrpc 2019-12-02 17:21:34 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2019:4045 https://access.redhat.com/errata/RHSA-2019:4045
